Password Best Practices

Identity theft is one of the biggest issues faced when securing data. Among the most commonly stolen pieces of personally identifiable information (PII) are login credentials. Just recently, US firm Hold Security announced that they discovered a series of web attacks that have likely amassed 1.2B combinations of stolen usernames and passwords, including 500M email addresses. They traced these thefts to servers based in Russia. Affected websites ranged from small, personal sites to those of Fortune 500 companies. Experts are saying that this is the single largest known collection of stolen login credentials ever discovered.

Keep your data out of the hands of cybercriminals. Usernames and passwords are the first, and sometimes final, gatekeepers to your data—passwords, especially, need to be strong and withstand the initial onslaught of a malicious attack.

Creating Easy-to-remember & Strong Passwords

Listed below are the most mentioned points of consensus among security experts on what a strong password should be:

It should be at least eight (8) characters long.

It does not contain your username, real name, company name, or the name of someone close to you (e.g. spouse, children, pet).

It does not contain a complete word, contained in any dictionary.

It is significantly different from your previous passwords.

It includes a combination of upper and lowercase alphanumeric characters and symbols.
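The five rules above, applied as one checker. This is an added illustration, not code from the original page; the word list and the account details it is run against are constructed sample inputs, and the 60% similarity threshold used for "significantly different from your previous passwords" is an assumption.

```python
"""Password policy checker illustrating the rules listed above (added example,
not the page's own code). DICTIONARY is a constructed sample word list; a real
deployment would load a full one."""
import re
from difflib import SequenceMatcher

# Constructed sample "dictionary" of complete words that must not appear.
DICTIONARY = {"password", "monkey", "welcome", "dragon", "summer", "admin"}


def check_password(password, username="", names=(), previous=(), dictionary=DICTIONARY):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    lower = password.lower()
    # Rule 1: at least eight characters.
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    # Rule 2: must not contain the username, real name, company or close relations.
    for label, value in [("username", username)] + [("name", n) for n in names]:
        if value and value.lower() in lower:
            problems.append(f"contains {label} '{value}'")
    # Rule 3: must not contain a complete dictionary word (runs of 4+ letters).
    for word in re.findall(r"[a-z]{4,}", lower):
        if word in dictionary:
            problems.append(f"contains dictionary word '{word}'")
    # Rule 5: must mix upper case, lower case, digits and symbols.
    classes = [re.search(r"[A-Z]", password), re.search(r"[a-z]", password),
               re.search(r"[0-9]", password), re.search(r"[^A-Za-z0-9]", password)]
    if not all(classes):
        problems.append("missing an upper/lower/digit/symbol class")
    # Rule 4: must differ significantly from previous passwords.
    # Assumed threshold: more than 60% similar (difflib ratio) counts as a reuse.
    for old in previous:
        if SequenceMatcher(None, lower, old.lower()).ratio() > 0.6:
            problems.append("too similar to a previous password")
            break
    return problems
```

Run against the page's own "CraZM0nk3y" example it passes on its own, but the "_FB" and "_bank" variants score as near-duplicates of each other under rule 4.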

Instead of thinking “password,” think “passphrase.” Stringing a unique or nonsensical phrase together to form a password will help you remember it better. See the examples below:

Do change your password regularly to limit your account’s exposure to possible misuse. It is best to change online financial accounts every month or two, while corporate network passwords should be changed every three to four months.

Don’t use your browser to remember your passwords for you. Browser vulnerabilities are getting discovered often and cybercriminals have been known to exploit these flaws without compunction.

Do check if the website you’re entering PII in has the prefix “https://.” HTTPS stands for HTTP over SSL. In this protocol, the data transferred is encrypted so that it cannot be read by anyone except the recipient.

Don’t write down your passwords. If you really need a hard copy, be sure to put it in a safe. If it is a digital file, avoid labeling it as “password.” Name it with something innocuous. Do encrypt this file as well.

Do have a different password for each account. You can opt to make versions of your base password so you can easily remember them all. (Example: CraZM0nk3y <3 c0tc4nD_FB; CraZM0nk3y <3 c0tc4nD_bank)

Alternative to Passwords: Public Key Authentication

Public key authentication is a more secure and flexible way to identify yourself to a login server. It is, however, more difficult to set up. In this verification process, you first need to generate a key pair consisting of a public key and a private key. The private key is used to generate signatures. You then copy the public key to the server under a certain name. When the server asks you to prove who you are, you generate a signature using your private key. The server then verifies that signature and allows you to log in. Thus, if that server is compromised, the attacker does not obtain your private key or a password; they obtain only one signature, and signatures cannot be reused, so they gain nothing.

There are several public-key algorithms available. The most common are RSA and DSA (also known as DSS), the US federal Digital Signature Standard.

Never store passwords in plain text as this makes it very easy for just about anyone to pick the passwords off that list. Encrypting passwords is also not an entirely secure option as anyone with admin privileges can decrypt them.

The best way is to store a cryptographic hash of the password. The most popular password scramblers are MD5, SHA-1, SHA-2 (a family of hash functions: SHA-256, SHA-384, SHA-512, and more), and SHA-3 (another family of hash functions). Note however that it is best not to use MD5, as its original author declared its end-of-life and it is no longer safe to use on commercial websites. The same goes for SHA-1, against which several theoretical attacks have been published.
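Hash storage and verification as described above, using SHA-256 from the SHA-2 family. This is an added example, not the page's own code; the per-user random salt, the PBKDF2 iteration loop and the record format are additions assumed here rather than anything the page prescribes, and the unsalted function is included only to show what the salt buys.

```python
"""Salted, iterated password hashing (added example, not the page's own code).
Assumptions: PBKDF2-HMAC-SHA256 with a 16-byte random salt and a fixed work
factor; records are stored as 'pbkdf2_sha256$iterations$salt$digest'."""
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; raise it as hardware gets faster


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a storable record; the plaintext password is never kept."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(digest).decode()])


def verify_password(password, record):
    """Recompute the hash from the stored salt and iterations, compare in constant time."""
    try:
        algo, iters, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False  # refuse records written under any other scheme
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    # hmac.compare_digest avoids leaking where the digests first differ.
    return hmac.compare_digest(actual, expected)


def unsalted_sha256(password):
    """Weak scheme shown for contrast: every user who picks the same password gets
    the same digest, so one precomputed table cracks all of them at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()
```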

Password Threats

Real-world Social Engineering. These threats include actions done in the real world, or those used to manipulate a person into giving up information. An example is nabbing a password written on a post-it lying about after luring a user away from her computer. Another is impersonating an IT engineer and asking an employee to give up the password over the phone. One more example is when a malicious user tries to guess a target’s password by learning some information about that person and using these gathered bits to piece the password together.

Keyloggers. This type of surveillance spyware can be either software or hardware that records every keystroke you make on your keyboard. In malware attacks, these components send the information they gather to the cybercriminal.

Sniffers. They look at raw data transmitted across a network and decipher it before packaging it and sending it over to the perpetrator. A sniffer reads every keystroke you send out from your machine, including passwords.

Brute-force Attacks. These attacks can be done physically or by using malicious bots and worms. They are exhaustive key searches that systematically check all possible words or keys until the right one is found.